Summary

Cisco Identity Services Engine (ISE) contains a set of default credentials for its underlying database. A remote attacker could use those credentials to modify the device configuration and settings or gain complete administrative control of the device.

Cisco has released software updates that address this vulnerability. There is no workaround for this vulnerability.

Based on the output of the show application version ise command in the previous example, the installed Cisco ISE release is 1.0.4.588.

On the main login page of the Cisco ISE web-based interface, the version information is displayed under the "Identity Services Engine" heading.

From the Cisco ISE web-based interface, log in and click on the "Help" button located at the bottom left corner of the screen. From the resulting menu, select "About Identity Services Engine". Version information is displayed on the resulting window under the "Identity Services Engine" heading.
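The three methods above all yield a dotted release string that has to be compared against the first fixed release, 1.0.4.573. The helper below is an added example, not part of the Cisco advisory: it extracts the release number from captured text and compares it component by component, because a plain string comparison gets dotted releases wrong once a component grows beyond the others in digit count. The sample CLI output is constructed for illustration and its layout is assumed, not taken from a real device.

```python
import re

# First fixed release named in the advisory.
FIXED_RELEASE = "1.0.4.573"

# Matches a dotted release with at least three numeric components.
_RELEASE_RE = re.compile(r"\b\d+\.\d+\.\d+(?:\.\d+)*\b")


def parse_release(text):
    """Return the first dotted release in `text` as a tuple of ints.

    Works on a bare string such as '1.0.4.588' or on a block of
    captured CLI / web-UI text that contains such a string.
    """
    match = _RELEASE_RE.search(text)
    if match is None:
        raise ValueError("no release number found in: %r" % text)
    return tuple(int(part) for part in match.group(0).split("."))


def is_fixed(installed, fixed=FIXED_RELEASE):
    """True when `installed` is the fixed release or later.

    Tuples of ints compare numerically per component, so
    (1, 0, 4, 1000) correctly ranks above (1, 0, 4, 573), whereas the
    strings '1.0.4.1000' and '1.0.4.573' would compare the other way.
    """
    return parse_release(installed) >= parse_release(fixed)


def naive_string_check(installed, fixed=FIXED_RELEASE):
    """The mistake to avoid: lexicographic comparison of release strings."""
    return installed >= fixed


# Constructed sample of what a captured `show application version ise`
# transcript might look like; the exact field layout is an assumption.
SAMPLE_CLI_OUTPUT = """\
Cisco Identity Services Engine
---------------------------------------------
Version      : 1.0.4.588
"""


def check_captured_output(text):
    """Classify a captured version transcript as 'fixed' or 'affected'."""
    return "fixed" if is_fixed(text) else "affected"


if __name__ == "__main__":
    for release in ("1.0.3.377", "1.0.4.558", "1.0.4.573", "1.0.4.588"):
        print(release, "->", "fixed" if is_fixed(release) else "affected")
    print("captured output ->", check_captured_output(SAMPLE_CLI_OUTPUT))
    # Shows why the numeric comparison matters:
    print("naive '1.0.4.1000' >= fixed:", naive_string_check("1.0.4.1000"))
    print("numeric '1.0.4.1000' >= fixed:", is_fixed("1.0.4.1000"))
```

The two releases the advisory names as upgradeable (1.0.3.377 and 1.0.4.558) classify as affected, the fixed release and anything above it as fixed.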

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by this vulnerability.

Details

The Cisco Identity Services Engine provides an attribute-based access control solution that combines authentication, authorization, and accounting (AAA); posture; profiling; and guest management services on a single platform. Administrators can centrally create and manage access control policies for users and endpoints in a consistent fashion, and gain end-to-end visibility into everything that is connected to the network.

The Cisco ISE contains a set of default credentials for its underlying database. A remote attacker could use those credentials to modify the device configuration and settings or gain complete administrative control of the device.

This vulnerability is documented in Cisco bug ID CSCts59135 (registered customers only) and has been assigned the CVE identifier CVE-2011-3290.

Fixed Software

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Cisco ISE release 1.0.4.573 is available as either an ISO image containing a complete installation image, which can be used for a new install or for completely reimaging an existing installation (filename is ise-1.0.4.573.i386.iso), or as an application bundle that can be used to upgrade an existing Cisco ISE release 1.0 (1.0.3.377) or Cisco ISE release 1.0MR (1.0.4.558) installation to Cisco ISE release 1.0.4.573 (filename is ise-appbundle-1.0.4.573.i386.tar.gz).

On installation, either as a clean install from the ISO image or application bundle for upgrading an existing install, Cisco ISE release 1.0.4.573 will:

- remove the existing database default credentials, and
- request the user to provide new database credentials.
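The fix replaces a shipped credential with one the operator chooses at install time. The following is an added example of that pattern and is not Cisco's code: a first-run provisioning routine that refuses to accept any credential on a denylist of shipped defaults (the entries here are placeholders, since the advisory does not publish the real ones), enforces a minimum strength, and can generate a random password when the operator prefers. The hypothetical function names and the denylist contents are assumptions.

```python
import secrets
import string

# Placeholder denylist of credentials that a product might have shipped
# with. The real default credentials are not published in the advisory;
# these values are constructed for illustration only.
SHIPPED_DEFAULTS = {
    ("PLACEHOLDER_DB_USER", "PLACEHOLDER_DB_PASSWORD"),
}

MIN_PASSWORD_LENGTH = 12


class CredentialRejected(ValueError):
    """Raised when an operator-supplied credential is not acceptable."""


def validate_db_credentials(username, password, defaults=SHIPPED_DEFAULTS):
    """Reject shipped defaults and weak choices; return True if acceptable.

    The checks, in order: the pair must not be a known shipped default,
    the password must not be empty or equal to the username, and it must
    meet the minimum length.
    """
    if (username, password) in defaults:
        raise CredentialRejected("shipped default credentials are not allowed")
    if not password:
        raise CredentialRejected("password must not be empty")
    if password == username:
        raise CredentialRejected("password must differ from the username")
    if len(password) < MIN_PASSWORD_LENGTH:
        raise CredentialRejected(
            "password must be at least %d characters" % MIN_PASSWORD_LENGTH
        )
    return True


def generate_db_password(length=24):
    """Return a random password from the `secrets` module (CSPRNG-backed)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def provision_db_credentials(username, password=None):
    """First-run provisioning: validate the operator's choice or generate one.

    Returns the (username, password) pair that the installer would store.
    A shipped default never survives this step.
    """
    if password is None:
        password = generate_db_password()
    validate_db_credentials(username, password)
    return username, password


if __name__ == "__main__":
    user, pw = provision_db_credentials("ise_db_admin")
    print("generated credential accepted, length", len(pw))
    try:
        provision_db_credentials("PLACEHOLDER_DB_USER", "PLACEHOLDER_DB_PASSWORD")
    except CredentialRejected as exc:
        print("rejected:", exc)
```

The denylist check runs first so that a shipped default is refused even if it happens to satisfy the length rule; the generated path exists so that an installer never has to fall back to a built-in value when the operator supplies nothing.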

Exploitation and Public Announcements

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

This vulnerability was reported to Cisco by Andrey Ovrashko and Sergey Bondarenko of BMS Consulting, Ukraine. Cisco would like to thank Andrey Ovrashko, Sergey Bondarenko and BMS Consulting for reporting this vulnerability and for working with us towards a coordinated disclosure of the vulnerability.

Cisco Security Vulnerability Policy

To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.